A key disclosure law is a statute that lets the state require a person to reveal an encryption key, a password, or the decrypted contents of data. It is the legal counterpart to the technical debate over encryption backdoors. Rather than weakening the math, it routes around it by applying pressure to the human who holds the key. The cryptography stays intact; the compulsion targets you.
These laws vary widely, and the differences are not academic. The same encrypted laptop that triggers a courtroom fight over self-incrimination in one country produces a straightforward jail sentence for silence in another.
## The United Kingdom: refusal is the offense
The clearest example is Part III of the UK's Regulation of Investigatory Powers Act 2000, known as RIPA. A Section 49 notice can require a person to disclose a key or put protected information into an intelligible form. Failing to comply is a criminal offense under Section 53, punishable by up to two years in prison in ordinary cases and up to five years in national-security or child-indecency matters.
This has produced real convictions of people who refused or claimed to have forgotten passwords. The notable feature is that the prosecution does not need to prove what the encrypted data contains. The crime is the non-disclosure itself. A defendant who genuinely cannot remember a passphrase is in a difficult position, because the law turns the inability to produce a key into something that looks, from the outside, like refusal.
Under a RIPA-style regime, encryption does not fail. The penalty shifts from "we read your data" to "you go to prison for keeping it closed." For some threat models that trade is acceptable, and for others it changes the entire calculation.
## France and the compelled-decryption offense
France criminalizes refusing to hand over a decryption key to authorities under Article 434-15-2 of its penal code, when the encryption may have been used to prepare or commit a crime. Penalties include imprisonment and a substantial fine, with steeper consequences where disclosure could have prevented or limited a serious offense. French courts have wrestled with whether a phone unlock code counts as a "decryption key" within the meaning of the statute, and higher-court rulings have generally treated it as covered, bringing everyday device passcodes inside the law's reach.
## Australia: pressure on companies and people
Australia's Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018, often called TOLA, took a different route. It empowers authorities to issue notices compelling technology providers to assist with access, ranging from voluntary requests to mandatory technical-capability notices. The Act states that it cannot require a provider to build a "systemic weakness," a phrase that has been criticized as undefined enough to fight over. Alongside the corporate provisions, Australian law also provides mechanisms to compel individuals to assist with accessing devices.
## The United States: an unsettled constitutional fight
The US has no general federal statute that simply orders you to decrypt. Instead the question runs through the Fifth Amendment's protection against compelled self-incrimination, and the courts have not reached a settled answer.
The central doctrine is the "foregone conclusion." If the government can already show it knows the data exists, that you control it, and that it is authentic, then compelling you to produce it may add nothing testimonial and can be ordered. If the act of producing or decrypting would itself reveal knowledge the government does not already have, courts are more likely to treat it as protected. The result is a genuine split: some courts have ordered defendants to decrypt, others have refused to, and the outcome can hinge on exactly how much the investigators already knew.
A recurring and unresolved twist in the US is the line between a passcode and a biometric. Several courts have treated compelling a memorized passcode as testimonial and protected, while treating a fingerprint or face scan as physical evidence that can be compelled, like a key or a blood sample.
That distinction has a direct practical consequence. A device unlocked by your face or finger may be openable by an officer simply holding it up to your face or pressing your finger to the sensor, while the same device behind a memorized passcode sits inside a much stronger, though still contested, legal protection. It is one of the few places where a settings choice maps cleanly onto a legal posture.
## A rough comparison
| Jurisdiction | Posture on compelled disclosure |
|---|---|
| United Kingdom | Explicit statute (RIPA Part III). Refusal is a crime, up to 2 years, or 5 in defined cases. |
| France | Explicit offense (Art. 434-15-2). Refusing a key tied to a crime is punishable; passcodes generally covered. |
| Australia | Provider-assistance regime (TOLA) plus individual-assistance powers. No "systemic weakness," contested in scope. |
| United States | No general statute. Fifth Amendment governs; "foregone conclusion" applies; courts split, passcode vs biometric matters. |
## What this means for your threat model
If legal compulsion is part of your threat model, encryption is necessary but not sufficient, and a few practical points follow.
- Borders are a special case. Device searches at a frontier often operate under reduced protections compared with the interior of a country. Our guide to crossing borders with devices covers the data-minimization approach of carrying as little as possible.
- Passcode beats biometric where compulsion is the risk. Given the legal split above, a memorized passphrase generally sits in a stronger position than a fingerprint or face unlock. Many devices also offer a quick way to force a passcode prompt.
- Deniability is fragile. Schemes like the hidden volumes in encrypted containers and the broader idea of deniable encryption aim to let you reveal one key while concealing another. They can help, but they are not a guaranteed defense, and in a RIPA-style regime an authority that believes more data exists can keep applying pressure.
- Minimize what travels with you. The data you do not carry cannot be compelled out of a device you do not have. Keep sensitive material on infrastructure you reach remotely rather than on the machine in your bag.
The deeper lesson is that privacy is never only a technical property. It is the interaction between what the cryptography guarantees and what the law in a given place permits a government to demand. Good encryption closes the technical door. Whether someone can lawfully order you to open it is a separate question, and the answer changes every time you cross a line on a map.